SpyAxe - Is it ever really gone?



Oppressed
2005-12-29, 07:21
Hello :confused:

I am posting on these Forums because the one where I received assistance is closed for the Holidays and I would like some input on new issues with my XP SpyAxe infected computer.

I had believed that this scourge had been removed from my system but apparently this is not so.

After receiving a "Clean Bill of Health" I shut that computer down. Today when I turned it on my first action was to download updates for my various Security programs.

I started with Norton AntiVirus only to find on restart that my Norton had been sabotaged! I needed to Fix 5 issues but could not. Live Update seemed to work but Norton indicated this Fix had not been successful. None of my Auto Protect features could be turned on. I was also unable to complete a Full System Scan.

I next went to my start>Turn Off Computer and noticed that something resembling the SpyAxe Shield had attached itself to the "Turn Off" Option. The note reads, "Click Turn Off to install important updates and turn off your computer. Click here to turn off without installing updates."

Needless to say I have renewed concerns especially with regards to Shutting Down my Computer.

Also, I checked for Windows Updates and what I found was also alarming. Apparently there are 3 High-priority updates for my computer (KB910437, KB905915 and KB890830) but they all show 0KB to download with the message (Downloaded; ready to install) and all have a publish date of 12/13/2005. Call me paranoid but this all seems very odd! Can I even trust that I am at a legitimate site? Or is this, another SpyAxe trick? To be on the safe side I didn't do anything. I don't know for sure but I believe that at the time I had turned the computer off these updates would not have even been available. So how could I have even downloaded them? And not installed them? I know I only found them today and took NO action at all. I also know with my Windows 98 computer I have to authorize a download but I don't know about Windows XP. Would it automatically download but not install? And it is my belief that installs require a restart NOT a Shut Down?

Anyway, next I used ewido security suite; found and installed updates; did a scan which found "2" NEW Hijacker.SpyAxe files which had previously not been found. After cleaning these I did a restart and my Norton Status was once again green (Good).

I'm still afraid my computer is a lost cause. I'm afraid to do a Shut Down and it is now going to be scheduled for a reformat thanks to the malicious &*%$&# that thinks it is fun to cost innocents their hard earned money.

I just thought I would bring this further SpyAxe infection issue to everyone's attention as well, if anyone can enlighten me regarding how exactly I should expect the Windows Update to work and if these patches/fixes are legit?

Thanks in advance for any help :)

Corrine
2005-12-29, 16:39
Hi, Oppressed. Welcome to Safer Networking Forums. More than likely you had a newer variant of this infection on your computer. If you have the smitRem© fix tool on your computer, please remove it and download a new copy as shown in the thread below. The tool was updated the other night.

Please see the thread linked below for complete instructions.

As you have already posted a first HJThis log, just proceed with the remaining steps and post the other logs as reply to this topic for a final check.

Thank you.

http://forums.spybot.info/showthread.php?t=1316

md usa spybot fan
2005-12-29, 16:45
... Also, I checked for Windows Updates and what I found was also alarming. Apparently there are 3 High-priority updates for my computer (KB910437, KB905915 and KB890830) but they all show 0KB to download with the message (Downloaded; ready to install) and all have a publish date of 12/13/2005. Call me paranoid but this all seems very odd! Can I even trust that I am at a legitimate site? Or is this, another SpyAxe trick? To be on the safe side I didn't do anything. I don't know for sure but I believe that at the time I had turned the computer off these updates would not have even been available. So how could I have even downloaded them? And not installed them? I know I only found them today and took NO action at all. I also know with my Windows 98 computer I have to authorize a download but I don't know about Windows XP. Would it automatically download but not install? And it is my belief that installs require a restart NOT a Shut Down? ...
This may be a normal situation depending on your settings for Automatic Updates. Check your settings for Automatic Updates. In Windows XP, if you have Automatic Updates set to "Download updates for me, but let me choose when to install them", then the updates will automatically download any time you are online after they are made available by Microsoft. Windows XP will normally notify you when the updates have been downloaded and are ready to be installed.

As far as the rest of your questions, possibly someone can help you if you follow the scanning and posting instructions here:
Before you post a log
http://forums.spybot.info/showthread.php?t=288

Oppressed
2005-12-29, 18:06
Hello Corrine & md usa spybot fan,

Thanks for the prompt replies.

I will be away from my computer for the better part of today but will proceed with the instructions at my earliest opportunity.

md usa spybot fan,

Thanks for the information re: Windows Updates. That is most likely how the issue occurred. I received the update but not the advisory notice, probably due to SpyAxe.

Regards,
O

p.s. I sure would like to have ewido available retail in my area, it wins over Norton anyday! I'll have to check into this further :)

Corrine
2005-12-29, 22:46
I don't believe Ewido is available on the retail market, just through the website.

tashi
2005-12-30, 02:18
Hi Oppressed.

You might want to let steamwiz know if you believe the infection has returned.

The site does not appear to be down:
http://www.help2go.com/component/option,com_forum/Itemid,32/

Oppressed
2005-12-30, 05:04
Hi Corrine :)

Thanks for the information on ewido.

tashi,

I didn't realize that it was only part of the help2go Forums. I used my Favorite and went straight to the Spyware Help Boards and everything was Locked Down so I didn't think to look further.

http://www.help2go.com/component/option,com_forum/Itemid,32/page,viewtopic/t,17277/

I'll post or send a PM to steamwiz to let them know :o

Oppressed
2005-12-31, 02:58
Hi Corrine,

Thank you in advance for your patience as I work to re-learn how to use some of the steps.

I have reviewed the instructions given on the Link provided and reacquainted myself with the procedures.

Before I continue I require some additional information.

What I need to know is:

a) I have version 1.99.01 of HijackThis.exe already installed in a Folder on my C Drive. Is this the correct version or do I need to upgrade? Also, I don't have an entry in my start menu or a Desktop shortcut; previously I just ran the program by double-clicking on the icon in the Folder. Is it okay to run the program from the Folder as I did it previously?

b) I have Spybot-S&D Version 1.4 installed already but I think that it is not running properly. (I cannot make the Resident "SDHelper" active.) If advisable, I would like to uninstall and reinstall this version. If this is okay, I need to know if there are any special instructions?

c) The current version of smitRem that is on my desktop is 2.8 (according to the log from the last fix.) I am not sure how to remove it, do I just delete the entries on my desktop and then empty my Recycle Bin or are there specific instructions?

Thanks again for helping me out with this issue.

O

Oppressed
2005-12-31, 15:17
===
Quote:
Hi Oppressed.

You might want to let steamwiz know if you believe the infection has returned.

The site does not appear to be down:
http://www.help2go.com/component/option,com_forum/Itemid,32/
===

Hi tashi,

I'm posting to let you know that I have posted to let steamwiz know.


===
Quote:
This may be a normal situation depending on your settings for Automatic Updates. Check your settings for Automatic Updates. In Windows XP, if you have Automatic Updates set to "Download updates for me, but let me choose when to install them", then the updates will automatically download any time you are online after they are made available by Microsoft. Windows XP will normally notify you when the updates have been downloaded and are ready to be installed.
===

Hi md usa spybot fan,

I thought I had posted an update re this information. My computer was set up to Automatically download and install Every day at 3:00am. (Just a minute while I double-check.) I know my computer was turned on after that time and when I went manually to the Windows Update Web Site to do a manual Update using the Install Button nothing was installed. A side note is that the Malicious Software removal tool for November was displaying on my Add/Remove programs list before I went to bed that night. When I awoke the next morning it was gone and 2 of the 3 critical updates were installed. The missing one was the Malicious Software removal tool for December. Also, on inspection the Mystery "Shield" is no longer attached to my "Shut Down" Option. The Security Center in my control panel is unavailable. My Windows Firewall shows it is turned on though. And the last point of interest is that when I checked my System Restore today there was a "Software Distribution Service 2.0" restore point made @ 3:00:14 am the night following my original posting here. This was even though the computer with the issue was disconnected from the Internet at the time and still is. To me it looks like the Automatic Update took priority over an attempt to manually install the Critical Updates. It seems strange to me that I wouldn't be able to manually check for Critical Updates?

Regards,
O

steamwiz
2005-12-31, 18:51
HI Oppressed

From your first post...



something resembling the SpyAxe Shield had attached itself to the "Turn Off" Option.


It looks like that was the windows update shield ... which is now resolved ?



Anyway, next I used ewido security suite; found and installed updates; did a scan which found "2" NEW Hijacker.SpyAxe files which had previously not been found. After cleaning these I did a restart and my Norton Status was once again green (Good).


I would like to see the ewido log showing the location of these 2 new spyaxe files ?

from post #8



a) I have version 1.99.01 of HijackThis.exe already installed in a Folder on my C Drive. Is this the correct version or do I need to upgrade? Also, I don't have an entry in my start menu or a Desktop shortcut; previously I just ran the program by double-clicking on the icon in the Folder. Is it okay to run the program from the Folder as I did it previously?


Yes to everything ... if you want a shortcut on your desktop, right click the exe file > create shortcut > drag & drop it onto your desktop, or cut & paste.



b) I have Spybot-S&D Version 1.4 installed already but I think that it is not running properly. (I cannot make the Resident "SDHelper" active.) If advisable, I would like to uninstall and reinstall this version. If this is okay, I need to know if there are any special instructions?


How are you trying to enable it ? is the account you are using an admin account ?

Load spybot > click "tools" > make sure "resident" is ticked > then click the resident shield on the left hand side...

Under "resident protection status" make sure both boxes are ticked. If they aren't... tick them.

If you want to uninstall & reinstall, that's OK...remember you will lose any backups spybot has made, so if you want to replace anything which has been removed by spybot, you should do that first (I doubt you have anything which is needed).... so go to add\remove programs in the Control panel and uninstall it.... then download and install a fresh copy.



c) The current version of smitRem that is on my desktop is 2.8 (according to the log from the last fix.) I am not sure how to remove it, do I just delete the entries on my desktop and then empty my Recycle Bin or are there specific instructions?


The Smitrem exe file is a self extracting file, which creates a folder in the same location as the smitrem.exe file, this folder contains all the necessary files to run the tool ... to remove it simply delete the smitrem.exe file and the folder which it created.



A side note is that the Malicious Software removal tool for November was displaying on my Add/Remove programs list before I went to bed that night. When I awoke the next morning it was gone and 2 of the 3 critical updates were installed. The missing one was the Malicious Software removal tool for December.


I wouldn't read too much into this ...The "Malicious Software removal tool for December." was successfully downloaded to my computer (KB890830) but does not show in my add\remove either (in any form)

The file downloads and runs once each month, if you want to run it more often, you need to go here :-

http://www.microsoft.com/security/malwareremove/default.mspx

When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. The tool creates a log file named mrt.log in the %WINDIR%\debug folder.

This is my mrt.log

***
Microsoft Windows Malicious Software Removal Tool v1.11, December 2005
Started On Sat Dec 31 14:52:06 2005

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Dec 31 14:52:30 2005
***

To see if it ran OK ... see what your log says...



The Security Center in my control panel is unavailable


I don't know what you mean by this ... are you saying that when you click the "security center" icon in Control Panel... nothing happens ?

steam
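Since mrt.log is appended to every month and the interesting cases are a non-zero return code or a run with no "Finished On" line, here is a small parser for it. This is an added Python example, not code from the thread or from Microsoft's tool. The sample log is constructed: the first run is the clean December 2005 run quoted above; the second run is invented to exercise the "something found" path, and the wording of its summary line is an assumption. The return-code meanings are given from memory of Microsoft's MSRT deployment article (KB891716) and should be checked there.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample mrt.log. Run 1 is the clean December 2005 run quoted in the
# post above; run 2 is invented to exercise the "something found" path, and the
# wording of its summary line is an assumption (the parser keeps any summary
# line other than "No infection found." as a finding, whatever it says).
SAMPLE_MRT_LOG = """\
Microsoft Windows Malicious Software Removal Tool v1.11, December 2005
Started On Sat Dec 31 14:52:06 2005

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Dec 31 14:52:30 2005
Microsoft Windows Malicious Software Removal Tool v1.12, January 2006
Started On Mon Jan 02 03:00:14 2006

Results Summary:
----------------
Found Win32/Example.A, removed.

Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Mon Jan 02 03:01:02 2006
"""

# Return-code meanings as I remember them from Microsoft's MSRT deployment
# article (KB891716); an assumption to verify there, not taken from the thread.
RETURN_CODES = {0: "no infection found", 6: "infection found and removed",
                7: "infection found, not removed"}

TIME_FMT = "%a %b %d %H:%M:%S %Y"
RE_HEADER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool (v[\d.]+), (.+)$")
RE_STARTED = re.compile(r"^Started On (.+)$")
RE_FINISHED = re.compile(r"Finished On (.+)$")
RE_RETURN = re.compile(r"^Return code: (\d+)$")


@dataclass
class MrtRun:
    version: str
    release: str
    started: Optional[datetime] = None
    finished: Optional[datetime] = None
    return_code: Optional[int] = None
    findings: List[str] = field(default_factory=list)

    @property
    def duration_seconds(self) -> Optional[float]:
        if self.started is None or self.finished is None:
            return None
        return (self.finished - self.started).total_seconds()

    @property
    def clean(self) -> bool:
        return self.return_code == 0 and not self.findings


def parse_mrt_log(text: str) -> List[MrtRun]:
    """Split mrt.log (one block per run, appended month after month) into runs."""
    runs: List[MrtRun] = []
    current: Optional[MrtRun] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_HEADER.match(line)
        if m:  # a new run starts; the "Finished On" line does not match this
            current = MrtRun(version=m.group(1), release=m.group(2))
            runs.append(current)
            in_summary = False
            continue
        if current is None:
            continue  # anything before the first header is ignored
        m = RE_STARTED.match(line)
        if m:
            current.started = datetime.strptime(m.group(1), TIME_FMT)
            continue
        m = RE_FINISHED.search(line)
        if m:
            current.finished = datetime.strptime(m.group(1), TIME_FMT)
            continue
        m = RE_RETURN.match(line)
        if m:
            current.return_code = int(m.group(1))
            in_summary = False
            continue
        if line == "Results Summary:":
            in_summary = True
        elif in_summary and line and not line.startswith("-") and line != "No infection found.":
            current.findings.append(line)
    return runs


def needs_attention(run: MrtRun) -> List[str]:
    """Reasons to look at a run more closely; an empty list means a clean, complete run."""
    reasons = []
    if run.finished is None:
        reasons.append("no 'Finished On' line: the tool was killed or the log is truncated")
    if run.return_code is None:
        reasons.append("no 'Return code' line logged")
    elif run.return_code != 0:
        reasons.append(RETURN_CODES.get(run.return_code, f"return code {run.return_code}"))
    if run.findings:
        reasons.append("summary lists: " + "; ".join(run.findings))
    return reasons
```

Point it at the real file with `parse_mrt_log(open(r"C:\WINDOWS\debug\mrt.log").read())` and look at the last run: a very short duration, a missing "Finished On" line, or a non-zero return code is what separates "the tool ran and found nothing" from "the tool never actually completed".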

Oppressed
2006-01-01, 03:51
Hello steam :)

I have screen captures of the issues I described but I'm not certain if it is okay to post them? One of the images includes information on a Norton error message that was occurring while the program was sabotaged.

Here is a copy of the ewido log with the Hijacker.SpyAxe entries. I also noticed (unrelated?) cookies but I don't recognize the location?

I will be back in an hour or so with a more detail reply.

Oh and "Happy 2006!"

Regards,
O

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:16:16 PM, 28/12/2005
+ Report-Checksum: 21618B86

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f} -> Hijacker.SpyAxe : Cleaned with backup
HKU\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724510C3-F3C8-4FB7-879A-D99F29008A2F} -> Hijacker.SpyAxe : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wfl4kpd5gbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wgkysnc5eco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjkoamdzgdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjliajazccp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjliond5gdq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjny-1lcpcg.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjny-1scpek.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup


::Report End
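A way to read a report like the one above, as an added Python example that is not from the thread or from ewido: it parses the `location -> family : action` lines, separates registry hits from files, and collapses the two spellings of the SpyAxe CLSID to one. What it shows about this particular report is that the two SpyAxe hits are registry keys (a Browser Helper Object registration under HKLM and the matching per-user Ext\Stats entry under HKU) for a single CLSID, not files on disk, while the Esomniture hits are cookie files in the user's profile. The embedded report is the one posted above, with four of the seven cookie lines left out for brevity.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The ewido report posted above, with four of the seven cookie lines left out.
EWIDO_REPORT = r"""---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:16:16 PM, 28/12/2005
+ Report-Checksum: 21618B86

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f} -> Hijacker.SpyAxe : Cleaned with backup
HKU\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724510C3-F3C8-4FB7-879A-D99F29008A2F} -> Hijacker.SpyAxe : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wfl4kpd5gbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wgkysnc5eco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@e-2dj6wjkoamdzgdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup


::Report End
"""

# Registry hives as ewido abbreviates them; any other location is taken to be a file path.
REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKEY_")
RE_ENTRY = re.compile(r"^(?P<location>.+?) -> (?P<family>[^:]+?) : (?P<action>.+)$")
RE_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Detection:
    location: str
    family: str
    action: str

    @property
    def is_registry(self) -> bool:
        return self.location.upper().startswith(REGISTRY_HIVES)

    @property
    def clsid(self) -> Optional[str]:
        """CLSID in the path, upper-cased so HKLM and HKU spellings compare equal."""
        m = RE_CLSID.search(self.location)
        return m.group(0).upper() if m else None

    @property
    def is_bho(self) -> bool:
        """True for the Browser Helper Objects registration itself (what IE loads)."""
        return self.is_registry and "Browser Helper Objects" in self.location


def parse_ewido_report(text: str) -> List[Detection]:
    """Keep only the 'location -> family : action' lines; headers and footers are skipped."""
    found = []
    for raw in text.splitlines():
        m = RE_ENTRY.match(raw.strip())
        if m:
            found.append(Detection(m["location"], m["family"], m["action"]))
    return found


def summarize(detections: List[Detection]) -> Dict[str, Dict[str, int]]:
    """Per family: how many hits were registry keys and how many were files."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for d in detections:
        table[d.family]["registry" if d.is_registry else "file"] += 1
    return {family: dict(counts) for family, counts in table.items()}


def clsids_by_family(detections: List[Detection]) -> Dict[str, Set[str]]:
    """Distinct CLSIDs per family; two registry paths for one CLSID mean one object."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for d in detections:
        if d.clsid:
            out[d.family].add(d.clsid)
    return dict(out)


def registry_only_hits(detections: List[Detection], ignore_prefix: str = "Spyware.Cookie.") -> List[Detection]:
    """Non-cookie registry hits: keys the scanner found without a file beside them."""
    return [d for d in detections if d.is_registry and not d.family.startswith(ignore_prefix)]
```

The CLSID is the useful handle: once the registry entries are gone, the remaining question is whether any DLL is still registered under `HKCR\CLSID\{...}\InprocServer32` for that GUID, which is where a live BHO would still be pointed at a file.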

Oppressed
2006-01-01, 05:33
Hello steam,

Thank you for your continued help with my issue :bigthumb:


From your first post...

===
Quote:
something resembling the SpyAxe Shield had attached itself to the "Turn Off" Option.
===

It looks like that was the windows update shield ... which is now resolved ?

This is most likely correct. The Shield in question was the same as the one that I later found displayed in the Control Panel as the icon for the "Security Center". I was concerned because I had never encountered that message before and I had it set in my mind that installing updates requires a Restart not a Shut Down :o



===
Quote:
b) I have Spybot-S&D Version 1.4 installed already but I think that it is not running properly. (I cannot make the Resident "SDHelper" active.) If advisable, I would like to uninstall and reinstall this version. If this is okay, I need to know if there are any special instructions?
===

How are you trying to enable it ? is the account you are using an admin account ?

I am unclear about use of an admin account? I remember that when I would start the computer in Safe Mode I would be prompted about which user and would answer Admin but I never had to enter a password or anything. Generally speaking how would I know which account I was using?


Load spybot > click "tools" > make sure "resident" is ticked > then click the resident shield on the left hand side...

Under "resident protection status" make sure both boxes are ticked. If they aren't... tick them.

I checked the settings in my Spybot and I am able to make changes by ticking and unticking various boxes including the Resident "Tea Timer". The Resident "SD Helper" highlights but I am unable to place a tick in the box. I believe I may have inadvertently deleted the entry for this function because I did not fully understand how to use the Resident "Tea Timer" window?


If you want to uninstall & reinstall, that's OK...remember you will lose any backups spybot has made, so if you want to replace anything which has been removed by spybot, you should do that first (I doubt you have anything which is needed).... so go to add\remove programs in the Control panel and uninstall it.... then download and install a fresh copy.

No worry about my wanting to Recover anything ;)



===
Quote:
c) The current version of smitRem that is on my desktop is 2.8 (according to the log from the last fix.) I am not sure how to remove it, do I just delete the entries on my desktop and then empty my Recycle Bin or are there specific instructions?
===

The Smitrem exe file is a self extracting file, which creates a folder in the same location as the smitrem.exe file, this folder contains all the necessary files to run the tool ... to remove it simply delete the smitrem.exe file and the folder which it created.

Thanks I will proceed with the removal.



===
Quote:
A side note is that the Malicious Software removal tool for November was displaying on my Add/Remove programs list before I went to bed that night. When I awoke the next morning it was gone and 2 of the 3 critical updates were installed. The missing one was the Malicious Software removal tool for December.
===

I wouldn't read too much into this ...The "Malicious Software removal tool for December." was successfully downloaded to my computer (KB890830) but does not show in my add\remove either (in any form)

The file downloads and runs once each month, if you want to run it more often, you need to go here :-

http://www.microsoft.com/security/ma...e/default.mspx

When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. The tool creates a log file named mrt.log in the %WINDIR%\debug folder.

-snip-

To see if it ran OK ... see what your log says...

Thanks for letting me know that there is a log and how to find it. I will check after I finish this reply.



===
Quote:
The Security Center in my control panel is unavailable
===

I don't know what you mean by this ... are you saying that when you click the "security center" icon in Control Panel... nothing happens ?

When I access the "Security Center" in the Control panel I see the following message:


Security Essentials

The Security Center is currently unavailable because the "Security Center" service has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Manage security settings for:

*icon* Internet Options *icon* Automatic Updates *icon* Windows Firewall


Hopefully I haven't missed responding to something important?

4 1/2 hours to 2006 for me ... see you next year :beerbeerb

bitman
2006-01-01, 08:59
steamwiz and Oppressed: Excuse me for butting in, but thought a couple pieces of info could help.

I am unclear about use of an admin account? I remember that when I would start the computer in Safe Mode I would be prompted about which user and would answer Admin but I never had to enter a password or anything. Generally speaking how would I know which account I was using?

I checked the settings in my Spybot and I am able to make changes by ticking and ticking various boxes including the Resident "Tea Timer". The Resident "SD Helper" highlights but I am unable to place a tick in the box. I believe I may have inadvertantly deleted the entry for this function because I did not fully understand how to use the Resident "Tea Timer" window?
Spybot's SDHelper.dll which is also known as Bad Download Blocker will not allow itself to be enabled (ticked box) if the dll file doesn't exist in the main Spybot S&D folder under the Program Files folder. This might have been deleted by malware, though there could be other causes. A non-administrator can generally enable/disable this since it's actually a BHO (Browser Helper Object).

A reinstall of the program is one way to recover the SDHelper.dll file, but I believe they've also got a copy posted somewhere for download since a couple malware target this file for deletion. Ask Lonny, I can't find the reference.


No worry about my wanting to Recover anything ;)
A normal uninstall of Spybot S&D deletes most configuration items, including logs, but not the Recovery files. This is so you won't lose these backups during a panic uninstall where someone suspects that Spybot is causing a problem.

steamwiz
2006-01-01, 21:37
Hi

I won't quote anything, we're going to get confused with quotes of quotes of quotes...

--
The 2 spyaxe "files" referenced in the ewido report, are not files, they are registry keys which got missed in the cleanup, I don't believe you still have a spyaxe problem...

--
You say you don't recognise the location?

C:\Documents and Settings\Derek\Cookies

The cookies which were found, I believe come from ebay ... they are believed to be tracking cookies so should be removed.

As for windows updates requiring a Restart or a Shut Down ... it's the same thing really isn't it.

--
re: admin accounts...

"Generally speaking how would I know which account I was using?"

Go to the Control Panel and click "user accounts" ... if it says "computer administrator" next to the account, it has admin rights

See bitman's post about the "SD Helper"

--
RE: security Center

Let's start the service and see if that helps



Start > Run > Type: services.msc > Click OK

Scroll down to and double click Security Center service

Set the "startup type" to Automatic

Click the Start button > When Security Center service has started, close Services...

--
bitman ... please feel free to "Butt in" anytime...

By the way, I took the comment about the admin account directly from the relevant page in spybot itself..."With an administration account, you can also install or uninstall the blocker here"

Thanks for the tip about spybot not deleting the recovery files ... I didn't know that.

--
Well I think that's everything, if I've missed anything... let me know.

steam
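The services.msc steps above, done from the command line, as an added example that is not from the thread: the sc.exe tool that ships with XP reports a service's state (`sc query wscsvc`) and its start type (`sc qc wscsvc`), and the same tool can set the start type and start the service. The Python below parses that output and returns the sc commands that correspond to steamwiz's two steps. The sc output embedded here is constructed for an XP machine whose Security Center service (wscsvc) has been stopped and set to Disabled; the service name wscsvc is the real one for Security Center.

```python
import re
from typing import Dict, Tuple

# Constructed sample output of "sc query wscsvc" and "sc qc wscsvc" on an XP
# box whose Security Center service is stopped and set to Disabled, the state
# behind the "Security Center service has not started" message quoted above.
SC_QUERY_OUTPUT = r"""SERVICE_NAME: wscsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wscsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Security Center
        DEPENDENCIES       : RpcSs
                           : winmgmt
        SERVICE_START_NAME : LocalSystem
"""

# One "KEY : value" per line; sc.exe right-pads the key and prints codes as "n  NAME".
RE_FIELD = re.compile(r"^\s*([A-Z_0-9]+)\s*:\s*(.*)$")


def parse_sc_output(text: str) -> Dict[str, str]:
    """Turn sc.exe's 'KEY : value' lines into a dict.

    The "[SC] ..." status line has no key and is skipped, as are the
    continuation lines of DEPENDENCIES (only the first dependency is kept).
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = RE_FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def code_and_name(value: str) -> Tuple[int, str]:
    """'1  STOPPED' -> (1, 'STOPPED'): sc prints the numeric code, then the symbolic name."""
    code, name = value.split(None, 1)
    return int(code), name.strip()


def assess_service(query_output: str, qc_output: str, service: str = "wscsvc") -> dict:
    """Compare state and start type with what a healthy Security Center looks like
    (RUNNING, AUTO_START) and return the sc commands that would fix the difference."""
    _, state = code_and_name(parse_sc_output(query_output)["STATE"])
    _, start_type = code_and_name(parse_sc_output(qc_output)["START_TYPE"])
    commands = []
    if start_type != "AUTO_START":
        # sc's syntax really does want the space after "start=".
        commands.append(f"sc config {service} start= auto")
    if state != "RUNNING":
        commands.append(f"sc start {service}")
    return {
        "service": service,
        "state": state,
        "start_type": start_type,
        "needs_fix": bool(commands),
        "commands": commands,
    }
```

Both sc commands need an administrator account, which is the same requirement the thread runs into for the Spybot SDHelper; a WIN32_EXIT_CODE of 1077 in the query output just means no attempt has been made to start the service since the last boot, not that it failed.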

bitman
2006-01-02, 02:36
Oppressed: See steamwiz' comments above.

steamwiz:


By the way, I took the comment about the admin account directly from the relevant page in spybot itself..."With an administration account, you can also install or uninstall the blocker here"
I hadn't realized you were referring to installation, I was focused on the enable via the check (tick) box.

For more clarity; the 'Show more information' entry you referenced above is slightly inaccurate. It's correct to state that only an Administrator account can install the SDHelper.dll file, or TeaTimer.exe for that matter, in the main Spybot S&D Program Files folder when using the NTFS file system with a Win 2000/XP OS.

However, the check box to enable both the SDHelper and TeaTimer resident programs is created in the HKey_Current_User portion of the registry since the Spybot S&D 1.3 version. So each user can individually enable or disable either of these once they are installed using an Administrator account, which is always done during the main installation process.

Oppressed
2006-01-02, 08:15
bitman,

Thank you for the assistance provided.

steamwiz,

I have very little understanding of the workings of Windows XP. I have only owned and used one other personal computer which was running with Windows 98SE.

Also, my understanding of the workings of computers comes from information and advice given by others. One piece of information was that a Shut Down and a Restart might not always provide the same end result. I believe this information came after a software install or upgrade repeatedly failed because I had used a Shut Down rather than a Restart. Being quite gullible I am sure I have been easily misled on many occasions and it now appears that instance was one of those times.

The reason I do not recognize the location is because Internet Explorer is not mentioned. As well the use of the word Documents and Settings is new. Maybe a Windows XP term?

I apologize for any inconvenience I have caused you due to my lack of understanding of, and appropriate use of, technical terminology.

LonnyRJones,

If you are reading this Thread I would like to request instructions for replacing the SDHelper.dll

If I am required to complete the process suggested by Corrine before this will be allowed please let me know so I can proceed.

Regards and Happy New Year to All,
O

Oppressed
2006-01-02, 08:22
p.s. steamwiz, Thank you for the information on recognizing Admin Accounts and on starting the Security Center.

steamwiz
2006-01-02, 15:57
HI bitman

I think we are saying the same thing here...

If the sdhelper was not installed when spybot was installed, then ticking the box will install and enable it ...on an admin account

If you try to tick it on a non-admin account you will not be able to.

Oppressed ... If your husband installed spybot on his admin account, but did not install the sdhelper, and your account is a non-admin account, you won't be able to install or enable it.

If both of your accounts are admin, then you can forget all of this as it does not apply to you.

Go here :- start > MY Computer > C: > Program Files > Spybot - Search & Destroy ... that's...

C:\Program Files\Spybot - Search & Destroy

Look in this folder and see if you have an SDHelper.dll file ....

let us know...

====
This I would like confirmed by bitman or someone else first

If you don't see one... Go here :-

http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper

and download SDHelper.dll

Copy the file to the C:\Program Files\Spybot - Search & Destroy

The SDHelper.dll file at Merijn's site says (version 1.3) and is 728 KB in size

The current SDHelper file on my computer is 834 KB (version 1.4)

Is it OK to use the one on Merijn's site ? or do we need to get the one from this site (if we can find it)

--
The C:\Documents and Settings folder is a standard folder on all XP systems and contains all the user accounts...

Win2000 & WinME also have a Documents and Settings folder

steam

Oppressed
2006-01-02, 19:11
Oppressed ... If your husband installed spybot on his admin account, but did not install the sdhelper, and your account is a non-admin account, you wont be able to install or enable it.

If both of your accounts are admin, then you can forget all of this as it does not apply to you.

Thank you again for your assistance.

I was the one who installed Spybot. The "SDHelper" was working up till the 2nd time (3 weeks ago) when SpyAxe messed with the computer. I was visiting this Site and the "TeaTimer" warning came up stating that the Browser Helper was deleted and I responded with a "Deny change" that didn't seem to take as I was asked the question over and over and over again until I replied something like "Deny all". I thought this was the prudent answer? After this all the "Deny" buttons disappeared and the pop-up kept returning insistently every time I closed it. Right now I don't remember how I made it stop /go away? Maybe I unticked the "TeaTimer" box in SpybotSD Resident Window? Or finally just said "Allow"? Either would probably have had the same result?

Also, yesterday when I looked in the Control Panel under User Accounts there were only my husband's Account which is Admin and a Guest Account with the message "Guest Account is Off". I'm not certain if this is normal or if the person who built the computer created this Account for themself?



Go here :- start > MY Computer > C: > Program Files > Spybot - Search & Destroy ... that's...

C:\Program Files\Spybot - Search & Destroy

Look in this folder and see if you have an SDHelper.dll file ....

let us know...

I followed the instructions and did not find the SDHelper.dll file listed.


--
The C:\Documents and Settings folder is a standard folder on all XP systems and contains all the user accounts...

Win2000 & WinME also have a Documents and Settings folder

steam

Thanks for the information.

I look forward to reinstating the "SD Helper" when the DL information is verified.

Regards,
O

bitman
2006-01-02, 19:50
steamwiz is correct, you must be an administrator to enable/disable as well as install the SDHelper.dll file, though the file is always installed with the program. I confused this with TeaTimer.exe which can be enabled/disabled by each user individually, though it must be installed by an Administrator initially. The actual specifics for this on each version of OS and XP Home vs. Pro are slightly different, but don't really matter in this case.

Don't install that older 1.3 version of SDHelper.dll, since it isn't current and might create problems. Since from your description it appears that Spyaxe deleted the file and you may have created other issues with TeaTimer with your answers, I'm going to recommend a complete re-install of the Spybot S&D program.

First, make sure you either have the original installation file named spybotsd14.exe or download a copy from one of the mirrors found here:
http://www.spybot.info/en/mirrors/index.html

Go into Control Panel, Add/Remove Programs, click Spybot - Search & Destroy 1.4 and click Remove
Answer any prompts to uninstall the program

Now, re-install the program by double-clicking the spybotsd14.exe file and follow the prompts.

Once it's installed, check whether Spybot Scans OK and TeaTimer shows up in the System Tray. If TeaTimer starts making lots of pop-ups, let us know, but just disable it until we can help. There is a known problem with the TeaTimer buttons display which may be why you had issues with it, so leave it off if you'd rather.

Oppressed
2006-01-02, 20:13
Hello bitman,

Thank you for the instructions. I will follow them when I return home later today.

Re the TeaTimer. I had originally disabled it after discovering the display issue but turned it back on after applying an automated patch given in the relevant sticky thread. I also turned it back on after the last SpyAxe Removal process was completed. It seems to be doing its job but I really don't know for sure?

Would it be okay to use the patch again after the reinstall?

O

bitman
2006-01-02, 20:23
Absolutely, I just didn't want to confuse you with the added instructions so I left it out.

A simple way to test that TeaTimer is operating is to tick/untick the SDHelper - Bad Download Blocker selection while Teatimer is operating. This will cause a notification dialog box that you should accept in all cases. It will also show up in the TeaTimer Resident Log once you exit and re-enter the Resident screen in Spybot.

I also found that turning off/on my Norton/Symantec antivirus real-time monitoring services caused a similar warning I could use to test TeaTimer. These are useful things to help your understanding of what's normal and what's not when using TeaTimer.

steamwiz
2006-01-02, 22:51
Thanks bitman

Oppressed I see bitman's sorting you out regards spybot:bigthumb:

By the way, if I want to check the various real-time monitoring programs are working, I go to Tools > internet options > and change the Homepage... to be immediately met with pop-ups from Spybot, spywareguard, Microsoftantispyware ...



Also, yesterday when I looked in the Control Panel under User Accounts there were only my husband's Account which is Admin and a Guest Account with the message "Guest Account is Off". I'm not certain if this is normal or if the person who built the computer created this Account for themself?


The guest account is normal and is created during the install of XP...

When you boot XP, does it go to a welcome screen with a choice of accounts, or straight to your only account? Because if your husband's account is the only one you see in user accounts, it looks as though you and your husband are sharing the same account and you do not have separate accounts.

steam

Oppressed
2006-01-03, 15:51
Thanks for the help bitman :)

I encountered a message from Teatimer both times and an additional one from Microsoftantispyware one of the times only. When I unticked I did not see a Deny button, but when I re-ticked I did.

I think I need a super easy to understand tutorial for using the TeaTimer. One I can put on a sticky note, LOL :o

This whole mess has left me wondering what the appropriate use of the "Deny" button is. I just can't seem to shake this hole I have in my logic when it comes to using this product :thud: For whatever reason I don't seem to be able to develop correct connections to the choices I'm being asked to make?

(Sadly a slight case of brain damage here that, at the most inopportune times, wreaks havoc with my greymatter :rolleyes: )


Hi steam,

Thanks for letting me know about the "Guest" Account.

I tried the homepage test and found Norton, Microsoftantispyware and TeaTimer pop-ups. TeaTimer would ONLY let me Allow; a Deny response kept the window repeating the same way it did when I lost the SD Helper. Even though I didn't want to change my Homepage, the Allow made sure I did; afterwards I had to repeat the process to change it back :rolleyes:

Re the Welcome Screen, the only time a choice is offered is when I am going to Safe Mode, Admin or not. I guess it is best there is only one Account and it is Admin because it simplifies my life somewhat ;)

Thanks again for all your patient help bitman & steam :bigthumb:

steamwiz
2006-01-03, 19:20
I think I need a super easy to understand tutorial for using the TeaTimer.

The simplest approach would be....

If you are installing a program, accept everything, or turn teatimer off first to avoid the popups...

If you are changing something like your homepage yourself ... then accept it...

If you are surfing the web and you suddenly get a popup ... deny ... but if you are in any doubt whether you should have denied it or not ...make a note of the URL and the exact change noted in the message, and post it on a forum for advice...



I tried the homepage test and found Norton, Microsoftantispyware and TeaTimer pop-ups. TeaTimer would ONLY let me Allow; a Deny response kept the window repeating the same way it did when I lost the SD Helper. Even though I didn't want to change my Homepage the Allow made sure I did; after I had to repeat the process to change it back


I think the most probable cause of this is that you have the homepage locked...

In spybot > tools > IE Tweaks > do you have "lock IE startpage setting against user changes" ticked ?

If it isn't, then it is probably a similar button in one of your other programs...

steam

Oppressed
2006-01-03, 22:34
Thank you again for your help steam :)

I looked in the location that was given and the Box is not ticked so it must be, as you stated, something similar in another program :)

Oppressed
2006-01-05, 01:11
Just when I thought it was safe ... :confused:

Hi ... I'm back ... :thud:

I just updated my ewido definitions and completed(?) a scan:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:48:46 PM, 04/01/2006
+ Report-Checksum: 6790D966

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f} -> Hijacker.SpyAxe : Cleaned with backup
HKU\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724510C3-F3C8-4FB7-879A-D99F29008A2F} -> Hijacker.SpyAxe : Cleaned with backup


::Report End

------------

As soon as the scan completed the TeaTimer popped up indicating that:

Spybot - Search & Destroy has detected an important
registry entry that has been changed.

Category: Browser Helper Object
Change: Value deleted
Entry: { 724510c3- f3c8-4fb7- 879a- d99f29008a2f }

I am only given the "Allow change" and "Remember this decision." options along with the "?" and "Info" buttons.

I notice that this is the same series of numbers, (lower case) letters and dashes as one of the objects ewido found and cleaned. This is ALSO one of two of the registry entry changes that occurred the last time when the TeaTimer popped up unexpectedly.

Did I just lose my SD Helper again? :eek:

Should I "Allow change"? Right now the window is sitting waiting on my screen under this one :-/
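The two scan-report lines above, read together, as an added example that is not part of the original thread and not code from ewido or Spybot: a small Python parser that pulls the registry key, detection name and action out of ewido-style report lines, normalises the CLSID (the HKLM and HKU lines carry it in different letter cases, which is why they look like two different objects), and checks whether a later TeaTimer "Value deleted" alert names a CLSID the scanner had just cleaned. The function names and the CLEAN_REPORT sample are my own; the report text in SAMPLE_REPORT is copied from the posts in this thread.

```python
"""Parse ewido-style scan reports and correlate BHO CLSIDs across registry hives.

Added example for this thread; not ewido's or Spybot's own code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Report text copied from the thread (constructed sample input for this example).
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:48:46 PM, 04/01/2006
+ Report-Checksum: 6790D966

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f} -> Hijacker.SpyAxe : Cleaned with backup
HKU\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724510C3-F3C8-4FB7-879A-D99F29008A2F} -> Hijacker.SpyAxe : Cleaned with backup

::Report End
"""

# A clean report, modelled on the second report in the thread (constructed sample).
CLEAN_REPORT = "+ Scan result:\n\nNo infected objects found.\n\n::Report End\n"

# {8-4-4-4-12} hex groups; IGNORECASE because the HKLM and HKU lines differ in case.
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)
# "<registry key> -> <detection name> : <action taken>"
FINDING_RE = re.compile(r"^(?P<key>HK[A-Z_]+\\.+?) -> (?P<detection>\S+) : (?P<action>.+)$")


@dataclass(frozen=True)
class Finding:
    key: str
    detection: str
    action: str

    @property
    def hive(self) -> str:
        return self.key.split("\\", 1)[0]

    @property
    def clsid(self) -> Optional[str]:
        """Lower-cased CLSID embedded in the key path, if any."""
        m = CLSID_RE.search(self.key)
        return m.group(0).lower() if m else None


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per '<key> -> <name> : <action>' line; other lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["key"], m["detection"], m["action"]))
    return findings


def bho_roles(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Map each CLSID to what the cleaned keys say about it.

    'registered': listed under HKLM ...\\Explorer\\Browser Helper Objects (IE loads it for all users).
    'loaded':     listed under a user's ...\\Ext\\Stats (IE's Add-on Manager saw it run in that profile).
    """
    roles: Dict[str, Set[str]] = {}
    for f in findings:
        if f.clsid is None:
            continue
        key = f.key.lower()
        r = roles.setdefault(f.clsid, set())
        if "\\explorer\\browser helper objects\\" in key:
            r.add("registered")
        if "\\ext\\stats\\" in key:
            r.add("loaded")
    return roles


def normalize_clsid(text: str) -> Optional[str]:
    """Extract a CLSID from free text, tolerating the spaces TeaTimer/forum wrapping insert."""
    m = CLSID_RE.search(re.sub(r"\s+", "", text))
    return m.group(0).lower() if m else None


def teatimer_entry_matches(entry_text: str, findings: List[Finding]) -> bool:
    """True if a TeaTimer 'Entry: {...}' alert names a CLSID the scanner reported cleaning."""
    target = normalize_clsid(entry_text)
    return target is not None and any(f.clsid == target for f in findings)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        print(f.hive, f.clsid, f.detection, f.action)
    print(bho_roles(found))
    print(teatimer_entry_matches("Entry: { 724510c3- f3c8-4fb7- 879a- d99f29008a2f }", found))
```

When the TeaTimer alert's CLSID matches a line the scanner just cleaned, the "Value deleted" change is the scanner's own cleanup, which is why the right answer at that prompt is to allow it. A CLSID that shows both roles was not merely registered but had actually been loaded by IE under that user's profile.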

Oppressed
2006-01-05, 01:16
Gosh ... aren't those the same objects that ewido cleaned the last time ...

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724510c3-f3c8-4fb7-879a-d99f29008a2f} -> Hijacker.SpyAxe : Cleaned with backup
HKU\S-1-5-21-3631192919-4047014472-3028651874-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{724510C3-F3C8-4FB7-879A-D99F29008A2F} -> Hijacker.SpyAxe : Cleaned with backup

bitman
2006-01-05, 01:32
Allow the change; you want it deleted. Spybot is remembering earlier registry entries in a snapshot database it keeps. Apparently this wasn't cleared when you uninstalled; I thought it was.


Right click the TeaTimer icon in the System Tray.
Select Settings from the pop-up.
Click each of the 4 buttons across the top and make sure they're empty, especially the Registry ones.
Delete any remembered entries by clicking the little 'X' at the far right of the line.
Click OK to exit the box.



Now right click the icon again and click Exit S&D Resident. Do NOT restart it.
Run another Ewido scan and remove anything bad it finds.
Restart TeaTimer by clicking on the file or Restarting your computer.


If Spybot complains about the changes again, accept them, you want it to allow the bad entries to be removed.

Oppressed
2006-01-05, 01:45
Hi bitman,

Thanks for the prompt reply :)

All the areas were already empty. Unless something was hidden?

I have done the Exit S&D Resident as requested and will now run another ewido scan.

Back in about 15 - 20 minutes :bigthumb:

Oppressed
2006-01-05, 02:01
Hi Bitman :bigthumb:

Thanks again :)

ewido shows clean this time. I'll see what it looks like after a restart, just me being curious ... ;)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:57:12 PM, 04/01/2006
+ Report-Checksum: F14CF4AC

+ Scan result:

No infected objects found.


::Report End

Oppressed
2006-01-05, 03:01
... ewido is still giving a clean scan :bigthumb:

tashi
2006-01-09, 10:27
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please pm me or one of the forum mods.

Glad we could help.